3.Prepare the block device for the drbd (preferably use LVM as it now supports lvmraid with reshape and takeover):
In my case I'm adding 1 qcow2 disk with a serial number (cat /dev/urandom | tr -cd A-Za-z0-9 | head -c 32 ; echo) defined and same size on both machines:

Notes:
A)target_iqn must mach the iqn defined during the creation of the target resource
B)If no allowed_initiators are defined for the 'ocfiSCSITarget' resource - everyone is allowed to access the iSCSI Target

13.Service relocation test.
The relocation is needed in order to generate AVC denials in the /var/log/audit/audit.log

After some testing, I have noticed that setting the 'allowed_initiators' in the iscsi-lun0 resource did not work, thus I have modified step 12 to represent a working solution.

If the iSCSI Initiators will use the iscsi-lun0 as a PV -> then we should add the device into the 'global_filter' section of our DRBD clusters' lvm.conf, otherwise the drbd device will be kept as primary on both nodes and this will cause havoc in your cluster.
Here is a short example:

In clustered environment you should not use targetcli,but provide all details to cluster.
Sadly, it took redhat more than an year to fix a bug in the iSCSI resource ...
As far as I remember , just follow the guide. I'm using LVs with the same name, so the drbd conf is quite straightforward.

What version of the resources are you using?
I think the iSCSI bug I have reported is still not available in CentOS.
Try the debug procedure described in https://bugzilla.redhat.com/show_bug.cgi?id=1598969
If you see the same error - you can use the workaround until RH publish the fix.
Edit: According to bugzilla, it should be fixed in 'resource-agents-4.1.1-20.el7'